
HelpDesk under the hood: auditing user account creation in AD

Hello, everyone.

Early in my acquaintance with the system administrator's trade, my boss told me about a profession (or rather, a specialization within it) called AD designer. These people tidy up the domain and put its accounts in order. Anyone who has dealt with this, and is busy with it, understands the irritation caused by a clumsily named account created by some employee who couldn't care less about your instructions.
Armed with PowerShell, we fought back!

Don't litter!


The gist: a dedicated organizational unit was created in AD for the HelpDesk (let's call it NewUsers), in which they are allowed to create new accounts (delegation of rights to users is out of scope here).
Their task is to create new accounts in this OU as needed.
My task is to check that the required fields (especially the login) are filled in correctly and to move the accounts to their departments.

It turned out that people did not want to think at all, and instead kept drifting over to me, asking me to create this or that account. For a few weeks I brushed them off with the words: you can do it all yourselves!
Finally, I got through to them, but that turned out to be only the beginning of the story.
In the end I had a pile of accounts: it was unclear whose they were and, more importantly, unclear who had created them. To the question "who created this?" all the staff unanimously denied it. Naturally, I was not eager to sort out these accounts; I had enough on my plate as it was.
As the person responsible for the domain, it was I who had to answer to my manager for every Tania and Gosha.

Then I came across a wonderful word: audit.

Solutions


There were several ways out of this situation. On the one hand, I could keep casting pearls before swine, explaining at length which fields to fill in and how. On the other hand, I could track account creation and, having identified the offenders, rub their noses in the clumsy names.

The first approach produced no results, so with a heavy heart I moved on to the second.

To begin with, I had to enable an audit policy for the relevant organizational units (in our case, the NewUsers OU) and add the group whose actions we want to see to the OU's auditing entries (its SACL); you can skip the groups and simply add all users.
Here you can read about auditing Active Directory Domain Services, and here you will find step-by-step instructions for setting auditing up.
As a result, events for the creation of new user objects will appear in the Security log of the domain controller.
The event we are interested in is ID 5137 (a directory service object was created).

On to collecting information from the controllers. Of course, if you have a single DC, you only need to set up a log filter and can forget the rest of the article, but then you will have to turn into Uncle Vanya, the cornfield watchman who is always on duty. In other words: got a free minute? Go look in the Security log.
If you would rather stay yourself, and you have more than one DC, read on.

And what about PowerShell?


In PowerShell, the Get-EventLog cmdlet helps with viewing the log. With it we will pick out the messages we need. To sidestep the problems with script signing, we did this: we put the code we need into the profile file and defined it as a function.

Those unfamiliar with profiles can read about them here, or, for those who do not want to leave Habr, here.
You will also need to allow the profile to load by running the command:

Set-ExecutionPolicy RemoteSigned

Back to our sheep. Here is the code of our function:

function Audit
{
    # Take the newest "directory service object was created" event (ID 5137) from the Security log,
    # keep it only if the new object lives in our NewUsers OU, and append the time, the message
    # text and the DC name to a file on my workstation.
    Get-EventLog -LogName Security -InstanceId 5137 -Newest 1 |
    Where-Object { $_.Message -match "OU=NewUsers,DC=contoso,DC=com" } |
    Select-Object TimeWritten, Message, MachineName | Format-List | Out-File \\MyComp\d$\Audit.txt -Append
}

For myself, I pick only the time the event was written, the message and the name of the DC on which it all happened. If that is not enough for someone, the list can be extended. Run:
Get-EventLog -LogName Security -InstanceId 5137 | Get-Member
and you get the complete list of properties.
The output goes to a text file on my work computer.
I am also only interested in accounts from one specific OU, so we select messages containing the path to our folder (OU=NewUsers,DC=contoso,DC=com).
If you are wondering why I take only the single newest entry, read on.
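As an added example (not the article's code), here is a richer version of the profile function. It parses the 5137 message text for the Subject (who created the object) and the Object (its DN and class), which is exactly the "who created it?" question the post is about, and appends the result to a CSV instead of a free-form text file. Assumptions: PowerShell 3.0 or later (Export-Csv -Append), the 5137 message uses the standard "Subject:/Object:" layout shown in the constructed sample at the bottom, the collection path (taken from the article) is writable by the account the task runs as, and Get-EventLog's -Index equals the event's EventRecordID, which the optional -RecordId parameter is meant to receive from the Task Scheduler trigger.

```powershell
# Added example, not the article's own code (see the lead-in for the assumptions).

$script:AuditOu  = 'OU=NewUsers,DC=contoso,DC=com'   # the OU we watch (from the article)
$script:AuditCsv = '\\MyComp\d$\Audit.csv'            # collection point (path from the article)

function ConvertFrom-Event5137 {
    # Pulls the fields we care about out of the message body of event 5137.
    param([Parameter(Mandatory)][string]$Message)

    $fields = @{}
    foreach ($label in 'Account Name', 'Account Domain', 'DN', 'Class') {
        # Each field sits on its own line as "<label>:<tabs><value>"; (?m) makes ^ and $ match per line.
        $pattern = '(?m)^\s*' + [regex]::Escape($label) + ':\s*(.+?)\s*$'
        if ($Message -match $pattern) { $fields[$label] = $Matches[1] }
    }

    $creator = if ($fields['Account Domain'] -and $fields['Account Name']) {
        '{0}\{1}' -f $fields['Account Domain'], $fields['Account Name']
    } else {
        $fields['Account Name']
    }

    [pscustomobject]@{
        CreatedBy = $creator
        ObjectDN  = $fields['DN']
        Class     = $fields['Class']
    }
}

function Audit {
    # Call without arguments to behave like the article's version (newest 5137 event),
    # or with -RecordId when the Task Scheduler trigger hands over the record number of
    # the event that fired it (assumption: Get-EventLog -Index equals EventRecordID).
    param([int]$RecordId = 0)

    $events = if ($RecordId -gt 0) {
        Get-EventLog -LogName Security -Index $RecordId
    } else {
        Get-EventLog -LogName Security -InstanceId 5137 -Newest 1
    }

    $events |
        Where-Object { $_.InstanceId -eq 5137 -and $_.Message -match [regex]::Escape($script:AuditOu) } |
        ForEach-Object {
            $parsed = ConvertFrom-Event5137 -Message $_.Message
            [pscustomobject]@{
                TimeWritten = $_.TimeWritten
                DC          = $_.MachineName
                CreatedBy   = $parsed.CreatedBy
                ObjectDN    = $parsed.ObjectDN
                Class       = $parsed.Class
            }
        } |
        Export-Csv -Path $script:AuditCsv -NoTypeInformation -Append -Encoding UTF8
}

# Constructed sample of a 5137 message (not a real log entry) to exercise the parser offline:
$sample = @'
A directory service object was created.

Subject:
	Security ID:		CONTOSO\helpdesk1
	Account Name:		helpdesk1
	Account Domain:		CONTOSO
	Logon ID:		0x3E7

Object:
	DN:	CN=new user 1,OU=NewUsers,DC=contoso,DC=com
	GUID:	{00000000-0000-0000-0000-000000000000}
	Class:	user
'@
ConvertFrom-Event5137 -Message $sample
```

Put both functions into the profile on each DC in place of the original Audit and the scheduled task keeps working unchanged. Because the CSV now carries the creating account as its own column, the "who created it?" argument is settled by a one-line Import-Csv and Group-Object CreatedBy rather than by reading message bodies; keep in mind that the administrative share the file lands on is readable by any administrator of that workstation, so treat the CSV as sensitive as the Security log itself.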

We need to call this function every time the events we care about appear in the log. For that we use the standard Task Scheduler. I will not describe how to create a task; I will focus on the important points:
Action: Start a program
Program/script: powershell
Add arguments: -windowstyle Hidden audit
Trigger:
Begin the task: On an event
Log: Security
Event ID: 5137

Just do not forget to tick:
"Run whether user is logged on or not", so that the task runs without requiring our presence.
"Run with highest privileges", so that we have access to the Security log.

After creating the task you can export it to an XML file and distribute it to the remaining DCs that way.
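As an added example (not the article's own), the same "informer" task can be defined as XML in PowerShell and registered on every DC from one place, which is the scripted form of the export-and-import the article describes. Two things in the XML are worth a look: LogonType Password with RunLevel HighestAvailable are the two checkboxes above, and ValueQueries makes the trigger hand the EventRecordID of the firing event to the action, so the function reads exactly that record rather than "the newest one" and a burst of account creations cannot slip past it. Assumed here: the task name, the run-as account, the list of other DCs, the ScheduledTasks module (Windows Server 2012 / PowerShell 3.0 or later), and that the Audit function in the run-as account's profile accepts a -RecordId parameter.

```powershell
# Added example, not the article's own code (see the lead-in for the assumptions).

$taskName = 'Audit-NewUsers'        # assumed task name
$runAs    = 'CONTOSO\svc-audit'     # assumed account; it needs the right to read the Security log
$otherDCs = @('DC2', 'DC3')         # assumed names of the remaining domain controllers

# Task Scheduler XML. The backtick keeps $(eventRecordID) literal so that Task Scheduler,
# not PowerShell, expands it with the value from the ValueQueries element.
$taskXml = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <EventTrigger>
      <Enabled>true</Enabled>
      <Subscription>&lt;QueryList&gt;&lt;Query Id="0" Path="Security"&gt;&lt;Select Path="Security"&gt;*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=5137]]&lt;/Select&gt;&lt;/Query&gt;&lt;/QueryList&gt;</Subscription>
      <ValueQueries>
        <Value name="eventRecordID">Event/System/EventRecordID</Value>
      </ValueQueries>
    </EventTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>$runAs</UserId>
      <LogonType>Password</LogonType>
      <RunLevel>HighestAvailable</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <ExecutionTimeLimit>PT5M</ExecutionTimeLimit>
    <Enabled>true</Enabled>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-WindowStyle Hidden -Command "Audit -RecordId `$(eventRecordID)"</Arguments>
    </Exec>
  </Actions>
</Task>
"@

# The password is needed because LogonType Password ("run whether user is logged on or not")
# stores the credential with the task.
$cred     = Get-Credential -UserName $runAs -Message 'Password for the account the task runs as'
$password = $cred.GetNetworkCredential().Password

# Register locally, then on each remaining DC over WinRM; -Force replaces an existing task of the same name.
Register-ScheduledTask -TaskName $taskName -Xml $taskXml -User $runAs -Password $password -Force
foreach ($dc in $otherDCs) {
    Register-ScheduledTask -CimSession $dc -TaskName $taskName -Xml $taskXml -User $runAs -Password $password -Force
}
```

MultipleInstancesPolicy Queue matters together with the record id: when several 5137 events arrive within a second, each trigger firing is queued and each queued run receives its own EventRecordID, whereas the article's -Newest 1 would log the same last event several times. On domain controllers without the ScheduledTasks module, write $taskXml to a file and import it with schtasks.exe /Create /TN and /XML, which is the command-line form of the export the article mentions.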

Nobody likes a snitch


As a result, we have a personal "informer" on each DC that reacts to the events we need in the Security log.
Now we can catch red-handed those who do not respect the principles of Feng Shui and disturb the free flow of energy in our domain.

Source: https://habr.com/ru/post/127935/

